[Plugin: OpenID] Openid users MUST NOT register when leaving comment!!!

New user accounts are not created when leaving a comment with an OpenID. If an account already exists, and is connected with that OpenID, then the user is logged in, but new accounts are never created. The plugin used to work this way, but it never made sense to me, so I changed it almost a year and a half ago. See the “create local accounts” bullet point on this post from October 2007.

The only way that a new account is created with an OpenID is if the user explicitly logs in at the wp-login.php page. However, this page also respects whether or not you have enabled new account registration. Even if OpenID is successful, new accounts are never created if you have disabled them by un-checking “anyone can register” on the General Settings page in WordPress.

I’m not able to reproduce the behavior you’re describing: creating new WordPress accounts simply be leaving a comment with an OpenID. However, if this is really happening for you, I would most certainly classify it as a bug and would love to discuss more so I can fix it.

As far as an option to disable the OpenID consumer entirely… that is something I have considered. Initially, the plugin was a consumer only, so that didn’t make sense. Now that it is also an OpenID provider, I guess I can imagine that some users would want to disable the consumer, however I’ve heard very, very little demand for this.

Oh. I was a bit incorrect.
Sorry.
Yeah, I believe that openid plugin respects option “anyone can register”.

But you see… The point is that sometimes creation of user profile sometimes needs certain circumstances – in my case, user needs a certain invite code to register and create profile.

Right now I have many users with openid in my blog – I always thaught that these profile were created when they commented posts. My wrong. I believe you that they all used login page. Anyway – not much difference.

The main point is that we can’t really trust those who log in with OPENID. Openid is really a superweak authentication method…

It would be wonderful if in future plugin versions you added two advanced settings:
1) Don’t create openid user profiles;
2) Disable openid consumer support (just don’t include comments.php file)

We would be entirely happy if you implemented this ^____^

Could you explain what you mean by “we can’t really trust those who log in with OPENID” ? I agree that there isn’t a widely used trust layer on top of OpenID right now, but how is that any different than normal WordPress account registration which requires only a username and email address? What does it mean to “trust” that account?

As for “Openid is really a superweak authentication method”, you must be confused with how OpenID works. OpenID in and of itself says nothing about how the user is actually authenticated at the OpenID provider. The fact of the matter is, however, that many OpenID providers provide much stronger authentication than a standard WordPress username/password account. Go take a look at MyVidoop, MyOpenID, and Verisign PIP.

I’ll consider adding more options for enabling portions of the OpenID plugin, while leaving others disabled. In the meantime, you can certainly disable portions yourself, as you’ve already done.

Oh, sorry seems like that once again, I wrote too much, and too little.

I agree that there isn’t a widely used trust layer on top of OpenID right now, but how is that any different than normal WordPress account registration which requires only a username and email address?

Right now, wordpress registrations are usually validated with activation e-mail, matcapcha, or any other capcha. Openid users aren’t validated.
I really don’t want to write it in public, but with openid I will have no problems, for example, spaming for thousands of different identities (even from one web site address. I am not speaking about some openid providers, who allow almost automated openid creation. You won’t be able even to block them with akismet).
After all, allowing user to register means that we trust them even a bit.
But we can’t guarantee that OPENID user is even a human.
That’s why Openid is really a superweak authentication method
.

The fact of the matter is, however, that many OpenID providers provide much stronger authentication than a standard WordPress username/password account. Go take a look at MyVidoop, MyOpenID, and Verisign PIP.

I know that technically, authentication is stronger. You won’t belive, how many times I used OPENID for different hacking purposes ^_^’

Finally, all I mean that – openid user is the same an unverified guest: his openid only means that he owns some kind of url.

So, it’s not good to make such guest a user.

Also, please consider that in many blogs, registered users gain more privileges, then guests – and it’s not correct to give them to a openid guest.

I’ll consider adding more options for enabling portions of the OpenID plugin, while leaving others disabled. In the meantime, you can certainly disable portions yourself, as you’ve already done.

Thank you, that’s all we really want ^_^
Good luck, your openid plugin implementation is still the best.